Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon.
ro8in Smarty n00b
Joined: 25 Aug 2009 Posts: 4
Posted: Wed Jul 04, 2012 9:47 am Post subject: Code injection leak!
I think there might be a code injection leak in Smarty. We are currently facing code injection problems on some of our high traffic sites. We are still figuring out where it's coming from (doing file audits etc.).
The file where the code is being injected is smarty_internal_templatebase.php.
It might not be Smarty, but since it happened on different installs running different code with only Smarty being the same, we suspect the problem is within Smarty itself.
Just to give you guys a heads up.
rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
|
Posted: Wed Jul 04, 2012 10:14 am Post subject:
Please elaborate. I don't see any (obvious) point-of-entry for any sort of injection. Besides the data you pass in via the API, Smarty internally only checks a few $_COOKIE and $_SERVER values - without outputting or eval()ing their content. The only possible injection I see is on line 322:

Code:
    header($_SERVER['SERVER_PROTOCOL'].' 304 Not Modified');

If you - somehow? - managed to populate that variable, you could initiate an HTTP relocation. We'll be looking into that, but I'm pretty sure this is not what you're referring to.
ro8in Smarty n00b
Joined: 25 Aug 2009 Posts: 4
|
Posted: Wed Jul 04, 2012 10:19 am Post subject:
Basically what happens is that the file smarty_internal_templatebase.php is altered and some code is being added. This code is a base64 hash which eventually decodes to a popup script on all template cache files.
How they are altering this file I do not know at this point. We are still working on finding their point of entry.
rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
|
Posted: Wed Jul 04, 2012 10:27 am Post subject:
OK, so it is not smarty_internal_templatebase.php that has a hole, but some hole somewhere allowed an attacker to modify smarty_internal_templatebase.php to run malicious code.
Now that could be anything, anywhere. They just chose smarty_internal_templatebase.php because it contains the fetch() method, which is a central piece of our rendering pipeline.
The attacker might as well have gained access to your system through something like phpMyAdmin (just an example I pulled from thin air!) and queried the disk for files it knew to modify (like our smarty_internal_templatebase.php, some central part of WordPress, …).
ro8in Smarty n00b
Joined: 25 Aug 2009 Posts: 4
|
Posted: Wed Jul 04, 2012 12:58 pm Post subject:
Yes, that's exactly the case.
I don't know yet if the actual leak is within Smarty itself.
Smarty being guilty of the leak only got higher on the list because it happened to 2 completely different systems with the only thing in common being Smarty, besides the fact that in both cases only Smarty itself is affected.
But as of now it's not a confirmed leak yet. We are still looking into it.
rodneyrehm Administrator
Joined: 30 Mar 2007 Posts: 674 Location: Germany, border to Switzerland
|
Posted: Wed Jul 04, 2012 1:11 pm Post subject:
I don't like the odds of this being a Smarty issue, even though it appears to have compromised 2 distinct systems of yours. Most notably because there would've been a bunch of complaints about this from other developers as well. That said, I have a couple of questions for you:
a) is Smarty accessible through HTTP (read: is it inside htdocs or not)?
b) are the compiled templates accessible through HTTP (again, within htdocs or not)?
c) are the two projects sharing (similar, not necessarily identical) templates or plugins?
d) are you passing any input (like $_GET['foo']) to something that might end up being a string: or eval: resource or {eval} (and thus actually evaluated as PHP)?
e) do you have things like register_globals on [truly don't see how Smarty would be susceptible to that, though]?
f) have you checked your (Apache?) logs for "funky" requests?
g) are the two systems running on the same physical or virtual OS? Possibly even accessing centralized code? What else is running on this system?
h) What PHP version are we talking about?
i) What Smarty version are we talking about?
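The thread describes the compromise (smarty_internal_templatebase.php rewritten to carry a base64 blob that is later decoded and executed) and the post above lists what to check. As an added example, not part of this thread or of Smarty, the following Python checker compares deployed library files with a known-good hash manifest and flags the eval/base64_decode constructs typical of injected loaders; the file contents, file name key and placeholder blob are all constructed for the demonstration.

```python
import base64
import hashlib
import re

# Constructed stand-in for the genuine library file (not Smarty's real source).
CLEAN_SOURCE = (
    "<?php\nclass Smarty_Internal_TemplateBase {\n"
    "    public function fetch($template = null) { return $this->render(); }\n}\n"
)

# Constructed tampered copy: the appended line has the shape of an injected
# loader (eval over a base64 blob); the blob decodes to a harmless placeholder.
_PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real payload").decode()
TAMPERED_SOURCE = CLEAN_SOURCE + f"eval(base64_decode('{_PLACEHOLDER}'));\n"

# Constructs a template engine's own library code has no business containing.
DANGEROUS_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")
LONG_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def build_manifest(files: dict) -> dict:
    """Record a known-good SHA-256 per file, e.g. from a fresh vendor download."""
    return {path: hashlib.sha256(src.encode()).hexdigest() for path, src in files.items()}


def verify_manifest(files: dict, manifest: dict) -> dict:
    """Classify each path as ok / modified / missing / unexpected against the manifest."""
    result = {}
    for path, expected in manifest.items():
        if path not in files:
            result[path] = "missing"
        else:
            actual = hashlib.sha256(files[path].encode()).hexdigest()
            result[path] = "ok" if actual == expected else "modified"
    for path in files.keys() - manifest.keys():
        result[path] = "unexpected"  # files the vendor never shipped
    return result


def scan_php_source(source: str) -> list:
    """Return findings for loader-style constructs; empty list for a clean file."""
    findings = [f"call to {m.group(1)}()" for m in DANGEROUS_CALLS.finditer(source)]
    for m in LONG_B64_LITERAL.finditer(source):
        findings.append(f"{len(m.group(1))}-char base64-like literal")
    return findings


if __name__ == "__main__":
    manifest = build_manifest({"smarty_internal_templatebase.php": CLEAN_SOURCE})
    deployed = {"smarty_internal_templatebase.php": TAMPERED_SOURCE}
    for path, status in verify_manifest(deployed, manifest).items():
        print(path, status, "; ".join(scan_php_source(deployed.get(path, ""))))
```

Taking the manifest from a pristine copy of the same Smarty release (rather than from the possibly compromised host) is what makes the "modified" verdict meaningful.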